Centre for Internet and Society

Short-Term Consultant Required: Wordpress Webmaster

praskrishna — 2012-03-13T11:27:34Z

CIS wishes to commission the improvement of the Privacy India website. The Privacy India website should have a well-organized interface and easily navigable

Requirements:

WordPress developer with sufficient relevant experience
Experience in content management
Proven webmaster track record
Savvy and creative

To apply for this position, please send your CV to Natasha Vaz (natasha@cis-india.org)

Click here for the Privacy India website.

For more details visit https://cis-india.org/news/wordprss-webmaster

Short-Term Consultant Required: Events Coordinator

praskrishna — 2012-03-13T11:22:08Z

CIS wishes to commission the planning of 3 privacy meetings in total, scheduled during May and June. Meetings should be well-organized, planned and promoted effectively.

The Events Coordinator should:

Choose a central and convenient Venue
Create the program
Involve relevant multi-stakeholder partners, participants and media
Work with the Privacy India team to organize panels of expert speakers on the topic of discussion

To apply for this position, please send your CV to Natasha Vaz (natasha@cis-india.org)

For more details visit https://cis-india.org/news/events-coordinator

India’s Big Bet on Identity

praskrishna — 2012-03-07T05:44:12Z

The world’s largest biometric authentication system reaches its first major milestone, but lots of challenges remain, writes Joshua J. Romero in ieeespectrum. Sunil Abraham was quoted in this story which was featured in March 2012 edition.

Driving around Bangalore, it’s immediately clear that the infrastructure hasn’t kept up with the IT boom in this once-sleepy South Indian city. Auto rickshaws, scooters, and motorcycles squeeze into a tight phalanx at each red light and choke the air with exhaust. Construction, such as the concrete supports of the new metro rail line that looms overhead, causes detours everywhere, and in spots the entire road abruptly disintegrates into gravel.

But something miraculous happens as you make your way south, past the outer ring road. A ramp lifts a select few vehicles out of the weaving traffic and onto an elevated tollway, where you suddenly have a bird’s-eye view of the urban landscape. This is the road to Electronic City, an oasis of glass and steel high-rises overlooking pristine black asphalt paths that snake through the perfectly manicured lawns of tech companies like Wipro, IBM, and Infosys Technologies.

“If you can have such good roads in the Infosys campus, why are the roads outside so terrible?” That’s the common question foreign visitors would ask Nandan Nilekani, one of the company’s cofounders. “Politics” was his usual reply, according to Nilekani’s 2008 book, Imagining India. Now the man who has been called the Bill Gates of India has jumped into politics to try to use what he learned at the IT giant to transform the dysfunctional country that lies beyond the borders of Electronic City.

Since July 2009, Nilekani has been a cabinet minister, leading hundreds of engineers and entrepreneurs as chairman of the Unique Identification Authority of India (UIDAI). By the most conservative estimates, at least a third of the country’s 1.2 billion citizens live below the poverty line and outside the formal economy. The UIDAI is expected to connect those hundreds of millions of people to government programs, save public money, reduce fraud and corruption, and foster new business opportunities—all by creating an unprecedented biometric system and outside the formal economy. The UIDAI is expected to connect those hundreds of millions of people to government programs, save public money, reduce fraud and corruption, and foster new business opportunities—all by creating an unprecedented biometric system.

“On the one hand, within India and across the world, people of Indian descent have done some remarkable work,” says Nilekani. “And on the other hand, here is a country that needs to solve some very basic problems. This project marries these two worlds.” UIDAI plans to use fingerprints and iris scans to assign every person in the country a unique 12-digit ID number that can be verified online. It’s one of the biggest IT projects in the world, and getting bigger: By early February, the UIDAI had issued 130 million ID numbers, and it can issue up to a million more IDs every day. The agency has set up 36 000 enrollment stations staffed by 87 000 certified enrollment operators. In India the project is called Aadhaar, which means “foundation” or “support,” because it’s meant to be a fundamental technology platform that will enable dozens of new public and private services to be created.

That’s if it all works. It’s easy to list major challenges: How exactly do you collect biometrics from every single person in the world’s second most populous country, especially those living at the margins? How do you keep bad data from getting into the database in a country rife with corruption? And how can you build the entire system around online authentication in a country where fewer than one in 20 people have access to the Internet?

The answers to these questions are getting more than the usual amount of scrutiny, because a lot of political fortunes are riding on the UIDAI.

The program has been heavily supported by the ruling Indian National Congress party; Nilekani was appointed by the prime minister himself, Manmohan Singh. But Singh and his Congress party have had a difficult time enacting many of their biggest policy goals, and the UIDAI has increasingly become the target of criticism.

Earlier this year, the whole scheme seemed in imminent danger of collapse, when a parliamentary committee killed the bill that would have given the program statutory authority, and a political turf war erupted between the UIDAI and the National Population Register, another government project collecting biometrics for the national census. But by late January the two sides had reached an agreement to share biometric data collection, and Aadhaar is once again moving full steam ahead with a new mandate and an estimated budget this year of 15 billion rupees [PDF] (about US $300 million).

Photo: Joshua J. Romero

EXISTING DOCUMENTS: A poster lists the variety of IDs a  person can use to register for an Aadhaar number.

To understand why the government has invested so heavily, it helps to know the current state of affairs in India. Aadhaar is meant to provide a form of identification that’s free, national, impossible to counterfeit—and available to everyone. “There’s an ID divide,” Nilekani explains, between people who have multiple official IDs and the hundreds of millions who have none. Only about 60 million people in India have passports, he says, and only about 100 million have photo ID bank cards. The most prevalent document is a voter ID card, which has been issued to about 700 million people, covering just over half of the country. But these and the rest of the official IDs created by the country’s vast bureaucracy all have shortcomings.

The primary reason for creating a biometric ID system is to give India’s poorest citizens better access to an array of welfare programs. India spends about 2 percent of its gross domestic product on social programs like the Public Distribution System, which provides subsidized rice, wheat, and other staples, and a rural employment scheme that guarantees 100 days of work. But all such programs suffer from severe “leakage”: According to the World Bank, corrupt officials and middlemen siphon away 59 percent of the money before it reaches the intended recipients. Eventually, the government hopes to provide funds directly to each person who needs them.

Most states issue ration cards, but they usually aren’t valid in other states. An official ID that can be used throughout the country is increasingly important as more and more people move away from their hometowns to follow employment, Nilekani says.

Complicating the problem further, existing ID cards are easy to duplicate. Some states have more names on their food ration lists than there are people living in the state. To fight counterfeiting, the Aadhaar team decided to use biometrics instead of issuing just another ID card. From the beginning, they consulted biometric experts, used existing standards when they could, and studied similar systems like the U.S. Visitor and Immigrant Status Indicator Technology program, run by the U.S. Department of Homeland Security.

One thing the team realized early on is that a single biometric measurement wasn’t enough to guarantee uniqueness. In proof-of-concept studies, researchers determined that only by using all 10 fingerprints and a scan of both irises could error rates be kept manageable. Adding iris scans also makes the program more inclusive for people whose fingerprints have been worn down by manual labor.

Photos, clockwise from left: Ruth Fremson/The New York Times/Redux; Joshua J. Romero (2)
NECESSARY GEAR: Each enrollment station has the same basic set of equipment, including an iris scanner [top], a fingerprint scanner [bottom right], a webcam and light [bottom left], a laptop, a second monitor for the resident to view, and a scanner and printer to handle documents.

Getting an Aadhaar number is not a quick process. One Friday after midnight, I watch dozens of families wait patiently in a municipal building where only half the lights are on and there’s always a baby crying. While Anurodh Kanchan waits, he explains that he came at this hour because he’d heard the lines were even longer during the day. He’d already been once before to schedule this appointment. Now his 7-year-old daughter dozes on his wife’s shoulder as the whole family waits another half an hour for the enrollment agent to return from a break.

Hiring and training people to work as agents has been one of the project’s biggest logistical challenges. The UIDAI outsources enrollment to “registrars”—often state governments or banks—which in turn hire accredited agencies to actually set up and staff the centers. The agencies get paid a flat rate for each successful enrollment, as do the agents they hire. A coordinator for one of the largest agencies told me that his organization had significantly overestimated how many enrollments an agent could complete in a day. UIDAI says that an average station (see photos, “Necessary Gear”) can process each enrollment in under 10 minutes, but in the days I spent observing, it wasn’t uncommon for the process to take twice as long. And if you’re an agent looking at a line of people stretching out the door, it’s easy to see how you might begin to rush through your tasks.

That’s why enforcing quality is left to a piece of software known as the enrollment client, installed on each agent’s laptop. The program manages every step of the process and was developed jointly by engineers at UIDAI and MindTree, an Indian IT company. Because enrollment often takes place in remote locations with no Internet access, the client must be fully independent and be able to run off a single laptop. The developers also had to make sure that the enrollment client could work seamlessly with any of the 11 biometric devices from various manufacturers that had been certified for use. And the initial version had to be built fast: MindTree won the contract at the end of April 2010, and the UIDAI wanted to enroll the first resident by that August.

MindTree met the deadline, and the client it designed now manages to prevent and correct most errors an enrollment agent might make. In addition to a simple quality check, the software looks for self-consistency—for instance, verifying that each fingerprint isn’t coming from the operator or another recently enrolled resident and that all 10 fingerprints and two irises are distinct from each other. If something goes wrong in a biometric capture, the software tells the operator how to correct it—for instance, it can distinguish between a facial photo that’s too dark and one in which the person was photographed at the wrong angle.

Still, over the last 21 months, the software engineers have had to continually improve the program to address new challenges encountered in the field. For example, when the UIDAI began enrolling people in the Punjab region of North India, where many men wear long beards and large turbans, enrollment agents had a hard time taking a photo that the software considered acceptable: The turban would be interpreted as an unacceptable background, or the automatic cropping feature would crop around the turban instead of the face. The software team was able to quickly tweak the parameters and release a new version of the client so that enrollment could continue.

It isn’t just the biometric collection that’s tricky. A resident must also supply basic demographic data—name, age, gender, and address. Residents can fill out paper forms in any of the 16 official Indian languages, which agents must first transfer to the computer and then translate into an English version of the form. This is by far the most time-consuming part of the process, and MindTree has tried to speed it up by building transliteration into the client software. But Indic languages have many variations—some are written right to left, and many use unique character sets. Still, the agent is expected to check the results and clean up minor mistakes.

There are obviously both privacy and security concerns when you’re collecting personal data from more than a billion people. “You can’t change your biometrics,” points out Sunil Abraham, the executive director at the Center for Internet and Society, in Bangalore, so if they become compromised, it’s a difficult problem to fix.

Among the precautions the UIDAI takes is to encrypt all data as soon as they’re collected. The data can be decrypted only by UIDAI servers, so the records aren’t even accessible to the operator or enrollment agency that collected them. At the end of each day, all the encrypted enrollment data are stored on USB flash drives, and the drives are transported to a place with Internet access so the data can be uploaded to UIDAI’s servers. It’s in the best interests of the enrollment agencies to safeguard the data, because otherwise they won’t get paid.

From the enrollment centers the action moves to the racks of servers at the UIDAI Central Information Data Repository, which is also in Bangalore. Here is where deduplication—checking each new enrollment against every other record in the database—will arguably make this identity scheme rise above the rest. Ensuring that no person can get two numbers is key to making biometrics a worthwhile investment. A few years ago, one Indian state collected biometrics for everyone below the poverty line, but it didn’t have the technology or a plan to prevent duplicates. It ended up capturing 1.2 times the population, which resulted in a significant leakage of benefits.

Many critics, including members of Parliament, have doubted that it’s even possible to deduplicate records from the entire Indian populace. It’s certainly a big task. In order to issue 1 million Aadhaar numbers in a single day, the current maximum rate, the data center must conduct 100 trillion person matches. To improve this process, the UIDAI came up with an unusual arrangement. Rather than hiring a single firm for the job, it awarded the project to three contractors, each responsible for processing a portion of the enrollments, with the overlapping records used to compare performance between the systems. This arrangement lets the UIDAI know if a system isn’t working correctly and also gives the companies a financial incentive to improve their software—they’ll get to process more records, and get paid more, if their products perform better. The vendors were even required to use the same kind of hardware to build their systems, so the agency isn’t tied to any one company.

In late January, the UIDAI released a report [PDF] that for the first time detailed the results of this deduplication effort. There are two primary factors that determine the accuracy of a biometric system: the false-positive rate, which in this case is how often a newly registered person is incorrectly judged to be already enrolled, and the false-negative rate, which is how often true duplicates are not recognized as such. To measure the false-positive rate, the UIDAI tested 4 million unique records against a subset of the enrollment database containing 84 million records: Of the unique records, 2309 were falsely rejected, for a false-positive rate of 0.057 percent. The agency also tested 31 399 known duplicates. The system caught all but 11, for a false-negative rate of 0.035 percent.

The false-positive rate applies to the total number of records in the database. As that number grows, the rate should increase in a linear fashion, because there are more opportunities for false matches. The false-negative rate, on the other hand, applies only to the small minority of enrollments that really are true duplicates (the UIDAI estimates that these make up only 0.5 percent of all incoming enrollments). Because the false-negative rate doesn’t depend on the total number of records, it should remain steady unless more people try to enroll multiple times.

R.S. Sharma, the director general of UIDAI, says that preventing all duplicates with technology alone is impossible. There are some people who just can’t be uniquely identified through biometrics, because the data for them aren’t good enough—children under age 5, for instance, and people with multiple disabilities. That’s why the responsibility for accuracy and uniqueness isn’t all left up to the software. Several full-time employees manually review the roughly 0.2 percent of cases that the software can’t handle, resolving errors and looking for evidence of fraud.

Even if the system isn’t perfect, it’s likely to be much better than any existing alternative, simply because it will eliminate “ghost identities,” says M.R. Madhavan, who works at the Centre for Policy Research, in New Delhi. “At least people who died in 1995 or 2005 will not get into the system,” he says.

Photo: Joshua J. Romero

AUTHENTICATION TERMINAL: Widespread use of Aadhaar will  rely on biometric terminals, like this prototype at MindTree.

Now that the UIDAI has shown it can collect biometric and demographic data and eliminate duplicate enrollments, much of the attention will shift to the authentication system, where people can prove their identity with just the swipe of a finger. Such systems are still under development, so most residents I met weren’t clear about the benefits of the program. When I asked people why they were enrolling, they often had vague reasons: “It might make it easier to get my benefits,” said one middle-aged woman in Bangalore. “I heard you’ll need it to buy heating gas,” said another woman. “I think it’s mandatory,” an elderly man told me. Nilekani thinks that getting authentication services up and running will be the best way to demonstrate the power of the entire project.

Here’s how such a futuristic system might work: Walking up to a wirelessly connected terminal at a local shop, a person will type in his name and Aadhaar number, and then he’ll scan his fingerprints. The data will be sent to a central database, where the Aadhaar number will be used to locate his record. The submitted name and biometric data will be compared to those on file, and the software will determine whether they match.

The UIDAI imagines that such biometric terminals will eventually be ubiquitous. The first devices deployed will likely be micro-ATMs in rural shops. These machines process transactions electronically, just like a full-size ATM, except they don’t store and dispense cash—that gets handled from the shopkeeper’s till. The hope is that such systems will deliver financial services to the 40 percent of the Indian population who have never had bank accounts. When people enroll for Aadhaar, they simply need to check a box and an Aadhaar-enabled bank account will be created for them.

In January, the UIDAI began a pilot project in the state of Jharkhand, where workers in the rural employment program could collect cash payments by scanning their fingerprints at a micro-ATM. Another pilot program in Maharashtra transferred small amounts of money to individual Aadhaar numbers, showing that bank servers could be easily linked with the UIDAI system.

The authentication system is already available as an application programming interface (API), which means it won’t be limited to just government programs and banks. Private service providers could use it to verify new customers as well. Take India’s vaunted mobile-phone culture: Phone companies are currently required to collect and retain significant documentation for every person they sell a SIM card to, as I found out in the two days I spent collecting the photos and local references I needed to get one myself. “If you look at any service provider, they’re not going to offer the mobile-phone service unless they verify who you are,” says Bala Parthasarathy, an entrepreneur who worked in Silicon Valley but came back to India to volunteer on the project for a year. Parthasarathy says that using Aadhaar for identity verification could provide the telephone companies with major savings.

Still, setting up a nationwide network of biometric terminals has plenty of its own challenges. First, India will need better connectivity. Wireless voice networks now cover most of the country, but wireless data networks have trailed behind. Current penetration of 3G is mostly just in the cities, says Debabrata Das, an IEEE member and a professor of electrical engineering at the International Institute of Information Technology, Bangalore, who has been studying the network challenges of authentication as a technical advisor for the state of Karnataka.

The API will also need to be flexible enough to handle variations in the demographic data that are submitted. The system can’t enforce strict matches: Many Indians use initials in their names, and there is no guarantee that they will always spell their names the same way in English. Further, sometimes a married woman will use her father’s family name instead of her husband’s. Because of the ambiguity in names and addresses, the database must be able to perform partial and fuzzy matches. Eventually, Sharma says, the UIDAI hopes to be able to do database matching for all the Indian languages as well, so the API will continue to undergo revisions.

Now the UIDAI must wait for its partners to begin taking advantage of the system, and Nilekani admits that starting up such services is largely beyond his control. Cooperation with other agencies and industries is all part of Nilekani’s approach to how government initiatives should work. “The big thing to my mind has been, How do you create a model of change, and how do you carry a lot of people with it? How do you think this through in a way that everyone comes on board?” he says. In building the project to this point, he’s managed to bring, if not everyone, then certainly a pretty diverse crowd: technical experts; national, state, and local officials; banks and businesses; and all those millions who willingly wait in line for hours.

“Everyone puts their own aspirations on it…like Obama,” he jokes. But the downside of being so inclusive is that as the project matures, it may be difficult to keep all the interested parties happy, and there’s bound to be disappointment if the project fails to achieve all its lofty ambitions.

The project has made it this far by adapting quickly as problems arise. “Think of it as multigeneration, continuous improvement,” Nilekani says. “You launch and get feedback and you get criticism. You need to build a rapid feedback loop, which is what we’ve built.”

Read the original here

For more details visit https://cis-india.org/news/big-bet-on-identity

Privacy in India — An Early Draft

Natasha Vaz — 2014-02-28T05:05:21Z

Privacy India in partnership with Privacy International, UK, Society in Action Group, Gurgaon, and the Centre for Internet and Society, Bangalore is pleased to bring you the draft chapters of its book on privacy in India. These include the Country Report, Telecommunication and Internet Privacy, E-Governance Identity and Privacy, Finance and Privacy, Health and Privacy, Transparency and Privacy.

Note: The chapters are an early draft which is in the process of being reviewed and updated. We greatly appreciate your comments and feedback.

Download the chapters below:

Country Report [PDF Document, 925 Kb]
Transparency and Privacy [PDF Document, 383 Kb]
Freedom of Expression and Privacy [PDF Document, 365 Kb]
Health and Privacy [PDF Document, 1146 Kb]
Finance and Privacy [PDF document 204 Kb]
E-Governance, Identity and Privacy [PDF Document, 554 Kb]
Telecommunications and Internet Privacy [PDF Document, 471 Kb]
Consumer Privacy [PDF, 390 Kb]
Law Enforcement, National Security, and Privacy [PDF, 422 Kb]

For more details visit https://cis-india.org/internet-governance/privacy-in-india-draft-chapters

Unique ID System: Pros and Cons

Natasha Vaz — 2012-02-29T11:28:58Z

On September 16, 2011, the Citizen’s Voluntary Initiative for the City and Centre for Advocacy and Research organized a public consultation titled “Unique ID System: Pros and Cons” in Bangalore. The consultation was on the utility and impact of the UID system in India and featured a panel discussion with T. Prabhakar, public relations officer, e-governance, Ashok Dalwai, UIDAI regional deputy director, Somashekar V.K., managing trustee of Grahak Shakti and Col. Mathew Thomas, civic activist and retired army officer.

Col. Mathew Thomas began his presentation by a comparative analysis of the Indian and the British experience in providing a unique identity to its citizens. In Britain, this initiative was labelled as ‘intrusive bullying’ and ‘an assault on personal liberties’. Additionally, the government recognized that they must conduct their business as servants of the public and not as their masters. The project was terminated on the grounds that it could not achieve the claimed objectives, and it was dangerous costly.

Nevertheless, the unique identification (UID) system in India is being perscribed as a prestigious project that will eliminate identity fraud, financial exclusion, enhance accessibility for the poor, enable the government to better manage welfare schemes and target corruption in social programs such as the National Rural Employment Guarantee Act (NREGA), the public distribution system (PDS), public health and financial inclusion.

Col. Mathew Thomas chronicled ID schemes. He explained that the advent and growth of information technology increased the availability of technology, which led to a commercial interest to exploit technology for profit. Technological solutions were heavily marketed, however, it is a mistaken belief that there is a technological fix to every problem (technology could solve any problem). Post 9/11 paranoia resulted in the notion that ID cards were the best possible counter measure to terrorism. “The inherent ridiculousness of this notion is that militants do not come with ID cards, but with AK-47s, and possession of ID cards or citizenship does not prevent one from becoming a terrorist”, says Mathew Thomas. National ID cards do not stop or deter terrorist actions.

India’s history with the UID project can be traced to the recommendations made by the Kargil Review Committee chaired by K. Subrahmanyam.The Committee recommended the issuing of ID cards to people in border areas to prevent infiltration and extend the system to the whole country to combat terrorism. Consequently, in 2003 the Citizenship Act of 1955 was amended by the NDA Government so as to compulsorily register all citizens into a “National Population Register” (NPR) and issue a Multi-purpose National Identity Card (MNIC). The NPR database will be inked to the UID. Subsequently, the UPA Government promoted the UID, as a pro-poor project.

Col. Mathew Thomas discussed the various questionable aspects of the UID project: its legality, financial prudence, ethics and its uses and abuses.

UID and Legality

Firstly, there is no law governing the functioning of the Unique Identification Authority of India (UIDAI). The illegal implementation of the UID is a complete insult to the Parliament and citizens, considering that the National Identification Authority of India Bill 2010 was drafted long after the implementation of the UID commenced.

UID and Financial Prudence

The high-level of apprehension surrounding the UID project stems from the fact that a project of this magnitude, cost and impact on the entire population would be undertaken without a feasibility study and a cost-benefit analysis. There exist two studies: one by the London School of Economics, regarding the UK project, and another by the Indian Institute of Management Ahmedabad, on UID in India. Both have concluded that such schemes are unworkable and too costly.

UID and Ethics

Ethical questions related to the UID are regarding its history, participation and ubiquity. Firstly, the UIDAI website is silent on the history prior to 2006. It fails to mention the significant historical roots of the UID, specifically, the Kargil War and the National Population Registry. Second, the UID has been promoted as a pro-poor project, whereas huge possibilities for commercial exploitation exist. Lastly, the UIDAI asserts that enrollment for the UID is ‘voluntary’. Although participation in the UID scheme is supposed to be voluntary, service providers can make it compulsory, thereby making it ubiquitous. A subtle campaign is being carried on, hinting at denial of benefits and services to those without UID.

Uses and Abuses

UID claims to transform governance, make ‘Bharath’ part of the growth process, plug ‘leakages’ & ‘slippages’ in welfare schemes, bring about all round prosperity and put India on a ‘fast-track’ growth by becoming the pivot around which all anti-poverty measures will rotate. One can conclude that UID is a panacea or a ‘one size fits all’ solution. Mathew Thomas questioned how these ambitions can be achieved by fingerprinting and scanning the irises of 1.2 billion people and storing the data for use by agencies responsible for the delivery of services.

These claims revolve around the assumptions that a lack of identity denies people welfare benefits; denies access to opportunities and services; and that a unique identification and de-duplication using biometrics would prevent “leakages”, “slippages” and in effect, all corruption. These assumptions need to be tested and verified so as to ensure validity.

The Public Distribution System and UID

Col. Mathew Thomas examined the PDS to analyze the use and claims of UID. He described the supply and demand of the PDS. The ‘supply’ side involves the fixing of minimum support prices, procurement by the centre and state governments, transport to FCI and state storages, distribution by centre to states and distribution by states to fair-price (ration) shops. All of the stages are affected by corruption and surprisingly UID beneficiaries have no role in any of the aforementioned stages.

‘Leakages’ in the supply process could potentially occur during the fixing of the minimum support prices (if deals exist with large farmers), during procurement (if they lift less quantity than what was paid for) and during accounting and storage (if they write off larger quantities than the actual damage; write off against bogus ration-cards; and show more quantity in storage and shops than is actually there).

The ‘demand’ process of the PDS system requires for state governments to decide on the eligibility of BPL people, issue ration cards, allocate ration-card holders to specific ration shops and requires the ration-card holders go to designated shops and collect entitlements. Corruption is possible, probable and happens in this discretionary decision-making. However, the only stage at which UID would find some use, if at all, is when ration-card holders collect rations.

Col. Mathew Thomas provided an excellent example of the government’s lopsided priorities. He describes the UID in PDS as the story of the ‘fence eating the corn’. The ‘fence’ then says, “let’s brand the cattle to find who is stealing the corn!”

The practicality of utilizing UID for authentication in the PDS system is a huge conundrum. Considering that the process to authenticate at ration shops requires all shops to have scanners (approximately six lakhs) which must be connected to a network and power at all the time.

Another problem surrounds the collection of ration. Ration-card holders do not always go to collect rations. There could be occasions where one family member goes for collection or one person collects rations for a number of families. The worst part of the UID application to the PDS system is that the procedure puts the BPL person at the mercy of the ration-shop keeper. He could simply deny rations, saying, “Authentication failed”.

The potential abuses of the UID could arise from the large collection of fingerprints that will be with various government officials and private agencies which could be used to foist false criminal cases against innocent people, forge title deeds, sale deeds, promissory notes wills, etc., and could target individuals and communities.

Col. Mathew Thomas concluded by explaining the main risks of any centralized database, it can be hacked and can crash. Professor Ian Angle, of the London School of Economics, has said that the UID will be "Olympic games of hacking", providing people with the biggest challenge to hack through.

Making a point: (From left) Public Relations Officer, e-governance, T. Prabhakar; UIDAI Regional Deputy Director Ashok Dalwai; Managing Trustee of Grahak Shakti Somashekar V.K.; and civic activist Mathew Thomas at a panel discussion in Bangalore on Friday. — photo: V. Sreenivasa Murthy.

Photo Source: From the Hindu, September 17, 2011, http://goo.gl/gCnqK

Note: Unfortunately, the other presentations were conducted in Kannada and could not be understood by the author of this blog.

For more details visit https://cis-india.org/internet-governance/unique-id-system-pros-and-cons

All India Privacy Symposium

Natasha Vaz — 2012-03-01T06:16:53Z

Are we citizens or subjects? Experts gather in Delhi for public symposium on privacy, transparency, e-governance and national security in India.

Following 18 months of research by Privacy India, the Centre for Internet and Society and the Society in Action Group, with support from London-based Privacy International, the groups today held an All India Privacy Symposium at the India International Centre in New Delhi. Speakers included Supreme Court Advocate Menaka Guruswamy, Microsoft Director of Corporate Affairs Deepak Maheshwari, social researcher and activist Usha Ramanathan, journalist Saikat Datta and former Chief of RAW Hormis Thorakan.

A few themes recurred across all five panels (Privacy and Transparency, Privacy and E-Governance Initiatives, Privacy and National Security, Privacy and Banking, and Privacy and Health). Perhaps the most prominent was the repeated allegation that the Indian government' technological illiteracy is putting its citizens at risk. One panelist described how an RTI request had recently revealed that the government had no idea how many of its own computers had been hacked or how much data had been stolen – even though this information has been in the public domain since the Wikileaks diplomatic cable releases.

The increased use of public-private partnerships and outsourcing was also a major cause for concern. Public money is being funneled into privately-held commercial enterprises – which, unlike public bodies, are not subject to RTI requests – and spent on e-governance initiatives like UID. Social researcher Anant Maringati spoke of a "hybrid world" in which government projects were fulfilled by completely unaccountable private actors. Advocate Malavika Jayaram remarked that, while private companies tend to have far greater technological expertise than government officials, they are ultimately motivated by profit rather than public benefit; we should therefore ask ourselves whether they can really be trusted with our information.

Government surveillance for the purposes of crime prevention also came under scrutiny, when Saikat Datta described how he himself had been put under illegal surveillance by an unauthorized intelligence agency. He warned of the dangers of excessive wiretapping, a practice that currently generates such a “mountain” of information that anything with real intelligence value tends to be ignored until it is too late, as happened with the Mumbai bombings in 2008. It is clear that the Indian government’s surveillance and interception programmes far exceed what is necessary for legitimate law enforcement.

Overall, panelists at the conference painted a vivid picture of India as a state that has made a habit of invading the privacy of individuals on a massive scale in the name of public benefit and law enforcement. Yet there is a clear sense that the benefits to society are not outweighing the costs to the individual. As Usha Ramanathan commented: “The question is, do we think of ourselves as citizens – or as subjects?”

See the webcast of the event here

For more details visit https://cis-india.org/internet-governance/all-india-privacy-symposium

The High Level Privacy Conclave

Natasha Vaz — 2012-03-01T06:09:21Z

India in dire need of privacy law; experts say government is ironically creating huge national security risks in attempts to prevent crime and terrorism.

Privacy India, the Centre for Internet and Society and the Society in Action Group, with support from Privacy International, have spent 18 months studying the state of privacy across India, conducting consultations in Kolkata, Bangalore, Ahmedabad, Guwahati, Chennai and Mumbai. Today, the results of their research were discussed by representatives from government, industry, media and civil society at a high-level conclave in Delhi. In attendance were Manish Tewari MP, Microsoft Director of Corporate Affairs Deepak Maheshwari and P.K.H. Tharakan former Chief of the Research and Analysis Wing. A privacy symposium open to the general public will be held tomorrow afternoon at the Indian International Centre.

The 130-page long Country report details how government bodies like the National Technical Research Organization (NTRO) engage in pervasive and frequently unauthorized wiretapping, listening in on the private conversations of politicians and ordinary citizens alike. The Cabinet Secretary himself, in a report last year, noted that a body like the Central Board of Direct Taxes should never have been authorized to conduct telephone tapping, as the Supreme Court had long ago made clear. Privacy problems are arising from UID, NPR, and other e-governance projects that involve the creation of databases and the collection of personal information. Indian citizens are losing the ability to control who has access to their information, what that information says about them and how that information is used.

Overall, the study paints a picture of a dysfunctional system, with multiple pieces of legislation dealing with sectoral privacy-related issues like health, banking, phone tapping etc and no overarching legal guarantee of privacy. As Manish Tewari observed today, there is a nationwide lack of understanding about new technologies and judges are very rarely technologically literate. This has created a situation in which the government's efforts to fight crime and terrorism by intercepting communications has horribly backfired. By building backdoors into communications systems to allow lawful access, and by restricting cryptography to a 40-bit limit, the authorities have created serious vulnerabilities in India's communications system that can be easily exploited by any malicious third party or foreign government.

Gus Hosein, Executive Director of Privacy International: "In their efforts to preserve and defend democratic society, India has undermined the very thing it wanted to protect. Both citizens and state are now at serious risk of being spied upon by anyone with a small amount of technological know-how and a computer."

Usha Ramanathan, social and political activist, said: "In the name of state transparency, government projects are in fact rendering citizens transparent to the State, rather than the other way round. A comprehensive privacy law for India cannot come soon enough."

Privacy India

Privacy India was established in 2010 with the objective of raising awareness, sparking civil action and promoting democratic dialogue around privacy challenges and violations in India. One of our goals is to build consensus towards the promulgation of comprehensive privacy legislation in India through consultations with the public, policymakers, legislators and the legal and academic community.

For more details visit https://cis-india.org/internet-governance/the-high-level-privacy-conclave

All India Privacy Symposium Webcast

praskrishna — 2012-02-08T08:20:08Z

Welcome to the Webcast of the All India Privacy Symposium at the India International Centre in New Delhi on 4 February 2012.

Welcome & Introduction to Privacy India

Elonnai Hickok, (Policy Advocate, Privacy India)

Panel I: Privacy and Transparency

Moderator:

Sunil Abraham, (Executive Director, Centre for Internet & Society)

Poster: Srishti Goyal, (Law Student)
Panelists:

Ponnurangam K, (Assistant Prof, IIIT New Delhi)

Chitra Ahanthem, (Journalist, Imphal)

Nikhil dey, (Social & Political Activist)

Deepak Maheshwari, (Director Corporate Affairs, Microsoft)

Gus Hosein, (Executive Director, Privacy International, UK)

Panel II: Privacy and E-Governance Initiatives

Moderator:

Sudhir Krishnaswamy (Professor, Azim Premji University)

Poster: Adrija Das,
Panelists:

Anant Maringanti, (Independent Social Researcher)

Usha Ramanathan, (Advocate&Social Activist)

Gus Hosein, (Executive Director, Privacy International, UK)

Apar Gupta, (Advocate, Supreme Court of India)

Elida Kristine Undrum Jacobsen (Researcher at the International Peace Research Institute, Oslo)

Panel III: Privacy and National Security

Moderator:

Sunil Abraham, (Executive Director, Centre for Internet & Society)

Poster:

Suchitra Menon, (Law Student)

Panelists:

Menaka Guruswamy, (Advocate, Supreme Court, New Delhi)
Prasanth Sugathan, (Legal Counsel, Software Freedom Law Center)
Oxblood Ruffin, (Cult of the Dead Cow Security and Publishing Collective)

Panel IV: Privacy and Banking

Moderator:

Prashant Iyengar (Associate Professor, Jindal Law University)

Poster:

Malavika Chandu

Panelists:

M R Umarji, (Chief Legal Advisor, IBA)
N A Vijayashankar, (Cyber Law Expert)
Malavika Jayaram, (Advocate, Bangalore)

Panel V: Privacy and Health

Moderator:

Ashok Row Kavi, (Journalist & LGBT Activist)

Poster:

Danish Sheikh, (Alternative Law Forum)

Panelists:

K K Abraham, (President, Indian Network for People with HIV)
Dr. B S Bedi, (Advisor, CDAC & Media Lab Asia)
Raman Chawla, (Senior Advocacy Officer, Lawyers Collective)

The Way Forward

Natasha Vaz, (Policy Advocate, Privacy India)

For more details visit https://cis-india.org/all-india-privacy-symposium-webcast

New Bill to decide on individual’s right to privacy

praskrishna — 2012-02-07T07:19:07Z

A group of experts would identify issues relating to privacy and prepare a report to facilitate authoring the Privacy Bill. Vishwajoy Mukherjee's article was published in Tehelka on 6 February 2012.

American jurist William J Brennan once famously remarked, “If the right to privacy means anything, it is the right of the individual to be free from unwarranted governmental intrusion.” Now the Government of India is on the verge of formulating, for the first time, a Privacy Bill that will lay down a specific framework to adjudicate an individual’s right to privacy.

The Planning Commission has constituted a small group of experts under the chairmanship of Justice A P Shah, former Chief Justice of the Delhi High Court, to identify issues relating to privacy and prepare a paper to facilitate authoring the Privacy Bill. The group will be studying the privacy laws and related bills promulgated by other countries and will also be analysing the impact of various programmes being implemented by the government, from the perspective of their impact on privacy. A detailed report with suggestions and remarks will then be handed to the Planning Commission by 31 March.

In the run-up to the formulation of a new Privacy Bill in India, an All India Privacy Symposium was held on 4 February to discuss aspects of privacy in the context of transparency, national security and internet banking. One of the most vociferous oppositions to the idea of privacy becoming an enshrined right for individuals, has come from those who believe that national security is of paramount importance. “The notion that one has to choose between privacy and national security is a false dichotomy of choice… When the judiciary adjudicates between privacy and surveillance, privacy in almost all cases loses. Especially when the word terrorism is invoked,” said Oxblood Ruffin, a member of the Cult of the Dead Cow, an information security and publishing collective. Speaking at the conference Ruffin stressed on the idea that the State shouldn’t act as a “peeping Tom” but instead respect the “sovereignty of its people.”

One of the more stark examples, in recent years, of the State clamping down on individual rights, such as the right to privacy, on the pretext of national security, is the Patriot Act in America. The Patriot Act was passed in the United States of America in the immediate aftermath of the September 2001 attacks on the twin towers, and allowed the government to scrutinise everything from “suspicious” bank accounts to wire-tapping lines of communication. Menaka Guruswamy, a lawyer at the Supreme Court of India, believes that unlike America, India does not yet have a codified view on privacy. “Privacy is a vast, fragile, and an open space in the Indian justice system,” she told Tehelka.

Though India doesn’t have clearly defined laws dealing with the issue of privacy, it does have certain directives under which surveillance methods such as wire-tapping can be done. Wire-tapping, which is regulated under the Telegraph Act of 1885, saw a major overhaul in a 1996 Supreme Court judgment, which ruled that wire-taps are a "serious invasion of an individual's privacy." The Supreme Court (SC) recognised the fact that the right to privacy is an integral part of the fundamental right to life enshrined under Article 21 of the Constitution, and therefore laid down guidelines defining who can tap phones and under what circumstances. Only the Union Home Secretary, or his counterpart in the states, can issue an order for a tap, and the government is also required to show that the information sought cannot to be obtained through any other means. The SC mandated the development of a high-level committee to review the legality of each wire-tap.

“Interceptions and intrusions by the state have often gone on to help exonerate people who have been falsely accused, so I think it would be unfair to demonise wire-tapping in general. One does have to ensure though, that those who intercept exchanges do not exceed limits,” said a former chief of the Research and Analysis Wing (RAW).

Besides the dimension of privacy versus surveillance, another important aspect which comes under the scanner when privacy laws are discussed is Internet banking. Details of personal bank accounts and other highly sensitive information of individuals have been whizzing around the cyber space with the advent of E-banking. Everything from booking tickets for movies and flights, to transferring money between accounts is happening via computers, and is happening fast. This growing trend has sparked a major debate on how safe is our information on the web, and what can the government do to secure it? In May 2000, the government passed the Information Technology Act, which laid down a set of laws intended to provide a comprehensive regulatory environment for electronic commerce.

The Act also addressed computer crimes such as hacking, damage to computer source code, breach of confidentiality and viewing of pornography and created a Cyber Appellate Tribunal to oversee and adjudicate cyber crimes. However, at the same time, the legislation gave broad discretion to law enforcement authorities through several provisions, such as Section 69, allowing the interception of any information transmitted through a computer resource and mandates that users disclose encryption keys or face a jail sentence up to seven years. Section 80 of the Act allows deputy superintendents of police to conduct searches and seize suspects in public spaces without a warrant.

“Confidentiality between banker and customer is the golden rule of traditional banking, but with the coming of E-banking, banks are using confidentiality as an excuse for not putting out data that shows how vulnerable they are to cyber crimes like hacking,” said N Vijayashankar, an E-business consultant, and a front runner in raising awareness about cyber laws in India. He said, “When framing privacy laws one has to ensure that banks are mandated to disclose data on breach of Internet security. That is the only way to ensure that banks take the necessary steps to secure customer information.” Malavika Jairam, a lawyer who focuses on technology and intellectual property, believes that allowing private participation in what should essentially be a sovereign State function is a dangerous path to tread on. “Tesco, a major retail chain in England, is now into E-banking… There are numerous examples of such private banking entities sharing customer information with insurance policy firms. These details are often used as markers for the kind of premium that will be set for a person,” Jairam said.

With the current pace of technological advancements fast thinning the line between individual privacy and public content, it remains to be seen what kind of privacy laws India will frame to keep up.

The original was published by Tehelka, Malavika Jayaram, a Fellow at CIS is quoted in it.

For more details visit https://cis-india.org/news/new-bill-to-decide-on-individual2019s-right-to-privacy

India needs an independent privacy law, says NGO Privacy India

praskrishna — 2012-02-03T11:46:22Z

India needs an independent privacy law though there are a number of provisions in existing legislations that protect a citizen's privacy, according to an NGO that is lobbying for the cause. The story was published in the Economic Times on 2 February 2012.

Privacy India, a conglomerate of the Centre for Internet and Society (CIS) and the Society in Action Group (SAG), with support from Privacy International, conducted a study of the existing laws in India related to privacy over a period of one and a half years in various cities.

A report, which will be released soon, has documented their findings about privacy laws and issues in India and high-level conclave and a national symposium on privacy will be held in Delhi on February 3 and 4.

Lawyer-activist Prashant Bhushan and NCPRI head Aruna Roy will take part in the discussions on privacy in transparency, e-governance initiatives, national security, banking and health issues.

"India doesn't have a privacy law, but there are provisions for it in different laws. During the course of the research, we found that the Indian judiciary has not been very strict in overseeing the implementation of the privacy clauses in various laws," CIS member Prashant Iyengar said, while reporting some of the findings of the study.

Stricter implementation of the existing laws could go a long way in curbing most privacy issues, Iyengar said.

Published in the Economic Times on 2 February 2012. Prashant Iyengar is quoted in this.

For more details visit https://cis-india.org/news/india-needs-an-independent-privacy-law-says-ngo-privacy-india

Do we need the Aadhar scheme?

sunil — 2012-02-03T10:11:24Z

"Decentralisation and privacy are preconditions for security. Digital signatures don’t require centralised storage and are much more resilient in terms of security", Sunil Abraham in the Business Standard on 1 February 2012.

We don’t need Aadhar because we already have a much more robust identity management and authentication system based on digital signatures that has a proven track record of working at a “billions-of-users” scale on the internet with reasonable security. The Unique Identification (UID) project based on the so-called “infallibility of biometrics” is deeply flawed in design. These design disasters waiting to happen cannot be permanently thwarted by band-aid policies.

Biometrics are poor authentication factors because once they are compromised they cannot be re-secured unlike digital signatures. Additionally, an individual’s biometrics can be harvested remotely without his or her conscious cooperation. The iris can be captured remotely without a person’s knowledge using a high-res digital camera.

Biometrics are poor identification factors in a country where the registrars have commercial motivation to create ghost identities. For example, bank managers trying to achieve targets for deposits by opening benami accounts. Biometrics for these ghost identities can be imported from other countries or generated endlessly using image processing software. The de-duplication engine at the Unique Identification Authority of India (UIDAI) will be fooled into thinking that these are unique residents.

An authentication system does not require a centralised database of authentication factors and transaction details. This is like arguing that the global system of e-commerce needs a centralised database of passwords and logs or, to use an example from the real world, to secure New Delhi, all citizens must deposit duplicate keys to their private property with the police.

Decentralisation and privacy are preconditions for security. The “end-to-end principle” used to design internet security is also in compliance with Gandhian principles of Panchayat Raj. Digital signatures don’t require centralised storage of private keys and are, therefore, much more resilient in terms of security.

Biometrics as authentication factors require the government to store biometrics of all citizens but citizens are not allowed to store biometrics of politicians and bureaucrats. The state authenticates the citizen but the citizen cannot conversely authenticate the state. Digital signatures as an authentication factor, on the other hand, does not require this asymmetry since citizens can store public keys of state actors and authenticate them. The equitable power relationship thus established allows both parties to store a legally non-repudiable audit trail for critical transactions like delivery of welfare services. Biometrics exacerbates the exiting power asymmetry between citizens and state unlike digital signatures, which is peer authentication technology.

Privacy protections should be inversely proportional to power. The transparency demanded of politicians, bureaucrats and large corporations cannot be made mandatory for ordinary citizens. Surveillance must be directed at big-ticket corruption, at the top of the pyramid and not retail fraud at the bottom. Even for retail fraud, the power asymmetry will result in corruption innovating to circumvent technical safeguards. Government officials should be required by law to digitally sign the movement of resources each step of the way till it reaches a citizen. Open data initiatives should make such records available for public scrutiny. With support from civil society and the media, citizens will themselves address retail fraud. To solve corruption, the state should become more transparent to the citizen and not vice versa.

UIDAI’s latest 23-page biometrics report is supposed to dispel the home ministry’s security anxieties. It says “biometric data is collected by software provided by the UIDAI, which immediately encrypts and applies a digital signature.” Surely, what works for UIDAI, that is digital signatures, should work for citizens too. The report does not cover even the most basic attack — for example, the registrar could pretend that UIDAI software is faulty and harvest biometrics again using a parallel set-up. If biometrics are infallible, as the report proclaims, then sections in the draft UID Bill that criminalise attempts to defraud the system should be deleted.

The compromise between UIDAI and the home ministry appears to be a turf battle for states where security concerns trump developmental aspirations. This compromise does nothing to address the issues raised by the Parliamentary Standing Committee on Finance, headed by the Bharatiya Janata Party’s Yashwant Sinha.

Read the original published in the Business Standard on 1 February 2012

For more details visit https://cis-india.org/internet-governance/do-we-need-the-aadhar-scheme

Google move is not good for netizens, say experts

praskrishna — 2012-02-03T10:03:17Z

Google's plan to merge data across 60 of its properties, which was announced last week, has drawn criticism from experts on the Internet, who are saying that this is detrimental to privacy. Balaji Narasimhan wrote this in the Hindu Business Line. The article was published on 31 January 2012.

"Google is doing what is good for shareholders. This is not positive for netizens,” said Mr Sunil Abraham, Executive Director, Centre for Internet and Society. “People like you and me have to either accept it or leave."

But what are the alternatives? Mr Somick Goswami, Director Consulting, PwC India, didn't want to comment directly on Google, but in the larger context of data privacy, he asked, "Do users want a free Internet or control over content? There is a lot of advocacy going around it. End of the day, when using the Internet, there has to be trust."

One way that Google could build trust could be by using something pertaining to loyalty, which retailers use in the real world in order to woo customers.

Mr Ram Menon, Executive Vice-President and Chief Technology Officer of Tibco, said that many of his clients make offers that are in context with what users want.

"For example, if you like cappuccino and this knowledge is known to a vendor, he can offer you a cappuccino when you walk past the store." He said that in such cases, there was no affront to privacy because the offer is relevant and in context. "You are a member and have opted in," he said.

Perhaps, the fact that all of Google's services are free has something to do with the privacy issue, pointed out the Australian Privacy Foundation. As its site privacy.org.au noted, "The company's business model is based on advertising revenue. Users pay no fees for their use of the services."

And the merger of its 60 policies apart, there is another issue worrying users — new acquisitions. As Mr Abraham pointed out, “When I was browsing Silk Smitha before YouTube was acquired by Google, I had no idea that one day this information would be known to Google."

And the issue becomes more serious in the context of a growing mobile workforce. As the Australian Privacy Foundation said, "Android mobile phones effectively trap users into having a Google user account."

Using Google services on a mobile – especially Google Latitude, a service that allows you to enable your friends to view your current location – allows Google to track your movements.

And since Google is predominantly an advertising-driven company, it could be argued that one day they might share information about you with a third party, enabling them to market to you more effectively, though this may not necessarily be done with your explicit permission – and this means that you may get an offer for products even if you have not opted in for such a service.

What can be done? Mr Abraham rued the fact that there are no specific laws to safeguard users.

"India needs privacy laws. In the US, law makers will create a fuss. In India, we are at the mercy of companies."

The original was published in the Hindu Business Line. Sunil Abraham is quoted in this article.

For more details visit https://cis-india.org/news/google-move-is-not-good-for-netizens-say-experts

Google’s privacy policy raises hackles

praskrishna — 2012-01-30T03:58:57Z

Have you ever used Google to search for a restaurant while you were logged in its network using your Google id? Or shared information about your trip to Goa with your friends on Google +? Or watched belly dance on YouTube? Or looked for Sunny Leone pictures on Google images? If yes, Google knows about it. Javed Anwer wrote on article on this. It is published in the Times of India on 26 January 2012.

And according to its new privacy policy it is going to put this information to some use.

The web giant says the new privacy policy will allow it to offer better services, including more relevant search results. But web experts have raised concerns over potential misuse of data and breach of privacy. According to Google's new privacy policy that will come into effect from March 1, the company is "getting rid of over 60 different privacy policies across Google services and replacing them with one that's shorter, easier to read" and something that will enable it to "create intuitive experience across Google" . Unlike in the past when Google had allowed users to choose personalized services, this time there is no option to opt out.

For an end-user this means that whatever information he shares through Google searches, Gmail, Google +, Picassa etc will be used to customize Google services for him. That the move is significant can be gauged from the fact that Google has provided a link to the new policy directly under its search engine on main page, something that the company rarely does. Google users will also be notified about the policy change through an email. "Our new privacy policy makes clear that, if you're signed in, we may combine information you've provided from one service with information from other services. In short, we'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience," said Alma Whitten, Google's director of privacy, in a post on the company's official blog.

Whitten gave some example of how this information will be used. "We can make search better - figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too," she wrote. "We can provide reminders that you're going to be late for a meeting based on your location , your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends' names, are accurate because you've typed them before."

The privacy policy from Google is at the heart of its new business strategy as it works to keep the search engine relevant and its services fresh in the face of social networking websites like Twitter and Facebook. It is also prompted by the proliferation of devices like smartphones and tablets. However, privacy experts are not amused. Sunil Abraham, director of Centre for Internet and Society, said the new changes are not good for a consumer's privacy.

"I understand that Google collects the data so that it can build a 360 degree profile of a user and based on the information serve relevant advertisements . But there is no reason for them to store this data for long. Storing data makes it prone to misuse by authorities as well as corporations," said Abraham. Another, problem, he said is that different services are used for different purposes. "I don't want my bakery shop owner to know what kind of medicines Ibuy from the nearby medical store," said Abraham.

Are you being watched?

What |

For an end-user the new policy means that whatever information he shares through Google searches, Gmail, Google+, Picassa, etc will be used to customize Google services for him

Why |

The privacy policy is at the heart of Google's business strategy as it tries to keep the search engine relevant in the face of social networking websites like Twitter and Facebook

Concerns |

It's instrusive as online activity is tracked; storing data makes it prone to misuse by authorities as well as corporations

The original was published in the Times of India. Sunil Abraham has been quoted in it.

For more details visit https://cis-india.org/news/google2019s-privacy-policy-raises-hackles

Privacy Matters — Analyzing the Right to "Privacy Bill"

natasha — 2012-02-15T04:27:28Z

On January 21, 2012 a public conference “Privacy Matters” was held at the Indian Institute of Technology in Mumbai. It was the sixth conference organised in the series of regional consultations held as “Privacy Matters”. The present conference analyzed the Draft Privacy Bill and the participants discussed the challenges and concerns of privacy in India.

The conference was organized by Privacy India in partnership with the Centre for Internet & Society, International Development Research Centre, Indian Institute of Technology, Bombay, the Godrej Culture Lab and Tata Institute of Social Sciences. Participants included a wide range of stakeholders that included the civil society, NGO representatives, consumer activists, students, educators, local press, and advocates.

Comments to the Right to Privacy Bill

Welcome

Prashant Iyengar was the Lead Researcher with Privacy India, opened the conference with an explanation of Privacy India’s mandate to raise awareness, spark civil action and promote democratic dialogue around privacy challenges and violations in India. He summarized the five “Privacy Matters” series previously organised across India in Kolkata on January 23, 2011, in Bangalore on February 5, 2011, in Ahmedabad on March 26, 2011, in Guwahati on June 23, 2011 and in Chennai on August 6, 2011.

Keynote Address

Na. Vijayashankar (popularly known as Naavi), a Bangalore based e-business consultant, delivered the key note address on the quest of a good privacy law in India.

He described the essential features of good privacy legislation. In analyzing the Draft Privacy Bill’s definition of the right to privacy, he suggested it should be defined through the “right to personal liberty” rather than through what constitutes “infringements”. Mr. Vijayashankar went on to explain that the “privacy right” should be taken beyond “information protection” and defined as a “personal privacy or a sense of personal liberty without constraints by the society”. He explained the various classifications and levels of protection associated with the availability and disclosure of data. He expressed concerns regarding monitoring of data processors and suggested that data controllers have contractual agreements between data processors, so as to ensure an obligation of data security practices. He also called for the simplification and division of offences and suggested numerous reasons as to why the Cyber Appellate Tribunal would not be an ideal monitoring mechanism or authority. See Naavi's presenation here

Session I: Privacy and the Legal System

Dr. Sudhir Krishnaswamy, Assistant Professor at the National Law School of India

Dr. Krishnaswamy started off the presentation by questioning the normative assumptions the Draft Privacy Bill makes. He referred to the controversy of Newt Gingrich's second marriage, to question the range of moral interests that were involved. The Bill falls short in accounting for dignity in relation to privacy.

He described the Draft Privacy Bill as a reasonable advance, given where privacy laws were before. Although, he feels that it does fall short, in terms of a narrow position, on what privacy law should do. He also questioned if it satisfies constitutional standards. He stressed the importance of philosophical work around the Draft Privacy Bill considering that the nature of privacy is not neat and over-arching.

Privacy and the Constitutional Law

N S Nappinai, Advocate, High Court, Mumbai,

Nappinai spoke on the constitutional right to privacy. She explained the substantial development of Article 21 of the Constitution of India to include the ‘right to privacy’ with regards to its interpretation and application. She described the different shift of the application of the right to privacy in the West in comparison to India. The West has moved from the right to privacy pertaining to property to the right to privacy concerning personal rights, whereas India moved from personal rights to property rights. She outlined three aspects of privacy: dignity, liberty and property rights.

Ms. Nappinai dissected the Bill in its major components: interception, surveillance, method and manner of personal data, health information, collection, processing and use of personal data. Using these components, she questioned what precedence exists? What should be further protected or reversed? What lessons should legislators draw from?

Shortcomings of the Draft Right to Privacy Bill falls include:

The objects and reasons section in the Draft Privacy Bill declares the right to privacy to every citizen as well as delineates the collection and dissemination of data. Nappinai dismisses the need for this delineation on the grounds that data protection is an inherent part of the right to privacy, it is not exclusive.
Large focus on transmission of data. The provisions do not account for property rights pertaining to the right to privacy. Therefore, the ‘knock-and-enter’ rule, the ‘right to be left alone’ and the ‘right to happiness’ should be included.
Applicability of the Bill should extend to all persons as well as data residing within the territory. It would be self-defeating if it only includes citizens, considering that the Constitution extends to all persons within the territory.
The right to dignity is unaccounted for.

See Nappinai's presentation here

Session II: Privacy and Freedom of Expression

Apar Gupta, Advocate, Delhi

Apar Gupta is an advocate based in Delhi who specializes in IP and electronic commerce law, spoke predominantly on the interplay between privacy and freedom of expression. He used the example of an advocate tweeting about his criticism of a judges’ ruling, to illustrate how different realms of online anonymity enable freedom of speech. He went beyond the traditional realm of journalistic architecture such as television channels or newspapers and explained online community disclosure.

Mr. Gupta provided a practical example of Indian Kanoon, a popular online database of Indian court decisions. Because Indian Kanoon is linked to the Google search engine, many individuals involved in civil and criminal matters have requested Indian Kanoon to remove the court judgments, under privacy claims. This particularly occurs with individuals involved in matrimonial cases. However, as court judgment constitute public records India Kanoon only removes court judgments when requested by a court order.

He described the several ways legislators can define privacy and freedom of expression. Considering that the privacy of an individual may border upon freedom of speech and expression, he questioned whether or not privacy should override the right to freedom of speech and expression. In addition, Mr. Gupta discussed the debate on whether or not the Privacy Bill should override all existing provisions in other laws.

Additionally, he analyzed the provisions of the Draft Privacy Bill using three judgments. In these judgments, different entities sought of various forms of speech to be blocked under privacy claims. He spoke about the dangers of a statutory right for privacy that does not safeguard freedom of speech and expression. Considering that the privacy statute may allow for a form of civil action permitting private parties to approach courts to stop certain publications, he stressed the importance for legislators to ensure balanced privacy legislation inclusive of freedom of speech and expression.

Sexual Minorities and Privacy

Danish Sheikh, researcher at Alternative Law Forum

Danish examined the status of sexual minorities in the light of privacy framework in India. The tag of decriminalization has served to greatly alter the way institutions approach the question of privacy when it comes to sexual minorities. He used the Naz Foundation judgment as a chronological marker to map the developments in the right to privacy and sexual minorities over the years.

He outlined four key effects on the right to privacy due to the Naz Foundation judgment:

Prepared the understanding of privacy as a positive right and placed obligations on the state,
Discussed privacy as dealing with persons and not just places, it took into account decisional privacy as well as zonal privacy,
Connected privacy with dignity and the valuable worth of individuals, and
Included privacy on one’s autonomous identity.

He described various incidents that took place before the Naz Foundation judgment, pre-Naz, that altered the way we conceived of queer rights in general and privacy in particular, including the Lucknow incidents, transgender toilets, passport forms, the medical establishment and lesbian unions. Post-Naz, he described two incidents including the Allahabad Muslim University sting operation as well as the TV9 “Expose” that captured public imagination.

He concluded by asking: “What do these stories tell us about privacy?” The issues faced by the transgender community tell us that privacy doesn’t necessarily encompass a one-size-fits-all approach, and can raise as many questions as it answers. The issues faced by the Lucknow NGOs display the institutionalized disrespect for privacy and that has marginally more devastating consequences for the homosexual community by the spectre of outing. The issues faced by lesbian women evidence yet another need for breaching the public/private divide, demonstrating how the protection of the law might be welcome in the family sphere. Alternate sexual orientation and gender identity might bring the community under a common rubric, but distilling the components of that rubric is essential for engaging in any kind of useful understanding of the community and the kind of privacy violations it suffers – or engage with situations when the lack of privacy is empowering.

Session III: Privacy and National Security

Menaka Guruswamy, Advocate, Supreme Court of India

Menaka explored national security and its relationship to privacy. In her presentation, she compared the similar manner in which the courts approach national security and privacy issues. The courts feel national security and privacy issues are too complex to define, therefore, they take a case-by-case approach.

Ms. Guruswamy described three incidents that urged her to question national security and privacy. First, she was interested in the lack of regulation surrounding intelligence agencies and was involved in the introduction of the Regulations of Intelligence Agencies Bill as a private members bill. Second, national security litigation between the Salwa Judum judgment and the State of Chhattisgarh is an example of how national security triumphs constitutional rights and values. Third, privacy in the context of the impending litigation of Naz Foundation in the Supreme Court. She described the larger conversation of national security focus on values of equality and privacy. She discussed the following questions that serve in advancing certain conception of rights:

How do we posit privacy which necessarily, philosophically as well as judicially, is carved out as the right of an individual to be left alone?
What are the consequences when national security, which is posited as the rights of the nation, is in conflict with the right of the individual to be left alone?
Considering that constitutional rights are posited as a public facet of citizenship how does a right to privacy play in that context?

Privacy and UID

R. Ramakumar, professor at the Tata Institute of Social Sciences

Prof. Ramakumar spoke on UID, its collection of information and the threat to individual privacy. First, he provided a historical trajectory of national security that has led to increased identity card schemes. He described the concrete connection between UID and national security.

He briefed the gathering on the objectives of the UID project. He described several false claims as proposed by the UIDAI. He explicitly disproved the UIDAI claim that Aadhaar is voluntary. He did this by comparing various legislations associated with the National Population Registrar that had provisions mandating the inclusion of the UID number.

He went on to explain that the misplaced emphasis of technology to handle large populations remains unproven. He described two specific violations of privacy inherent in the UID system: convergence of information and consent. The UID database makes it possible for the linking or convergence of information across silos. In addition, consent is unaccounted for in the UID system. The UID enrollment form requires consent from a person to share their information. However, the software of the enrollment form automatically checks ‘yes’, therefore you are not asked. Even if you disagree, it automatically checks ‘yes’. Default consent raises the important question, “to what extent are we the owners of our information?” and “what are the privacy implications?”

Mr. Ramakumar was once asked, by Yashwant Sinha in a Parliamentary Standing Committee meeting, “Is the Western concept of privacy important in developing country like India?”. Using this question posed to him, he stressed the importance of privacy to be understood as a globally valued right, entitlement and freedom. He also referred to Amartya Sen’s work on individual freedoms.

Conclusion

During the daylong consultation numerous questions and themes relating to privacy were discussed:

How is the right to privacy defined?
How can the Draft Privacy Bill redefine the right to privacy?
How can reasonable deterrence mechanisms be included?
Does duplication of the right to privacy exists in different statutes?
Is the Cyber Appellate Tribunal an ideal monitoring mechanism or authority?
What are the circumstances under which authorized persons can exercise the Right of privacy invasion?
How can the Draft Privacy Bill account for the right to dignity?
How much information should the State be allowed to collect?
How can citizens become more informed about the use of their information and the privacy implications involved?
What would be the appropriate balance or trade-off between security and civil liberties?
What are the dangers with permitting the needs of national security to trump competing values?
What are the consequences for the homosexual community, when faced with institutionalized disregard for privacy?

For more details visit https://cis-india.org/internet-governance/privacy-matters-analyzing-the-right-to-privacy-bill

Google to change privacy policy to use personal info of users

praskrishna — 2012-01-30T05:03:55Z

It is a warning for users of Google and other Social Networking sites. Who are using these sites for searching anything they want to know and sharing their personal life with friends, colleagues and relatives. If you have ever used Google for searching any place, restaurant or shared information about your personal life with your friends on Google and other social networking sites, or you have watched adult stuff on YouTube, if your answer is yes, Google knows about it. And according to its new privacy policy Google is going to put this information to some use. Sheetal Ranga's article was published in Punjab Newsline on 27 January 2012.

It is claimed by the web enormous that according to new privacy policy, better service will be provided to its users, including more relevant search results. And other side the web experts have expressed their concerns over potential misuse of data and defy of privacy. Google's new privacy policy will come into effect from 1 March 2012, said by Google.

Google provide service which will be shorter and easier to read and something that will enable it to create spontaneous experience across Google. Google had allowed users to choose personalized services; “unlike” this time there is no option to pick for the users.

The new policy of Google has made some people anxious over their privacy issues. The new policy is being adopted by Google, SafeGov monitors security issues for federal, state and local government is not happy with it.

A security analyst, Jeff ( SafeGov) said, "Google should not be data-mining information in e-mails, text messages, searches and documents that workers are putting into Google services. It’s a matter of not making government workers unnecessarily exposed to hackers and to inadvertent disclosures of information."

The Vice President of Google ,Amit Singh claims that Google’s new privacy policy for consumer data is antiquated by data privacy provisions in contracts with government agencies and other organization that use the paid version of Google Apps. Google will maintain our endeavor customers’ data in conformity with the confidentiality and security obligations provided to their domain, he said.

The new policy of Google has made some people edgy over their privacy issues. SafeGov monitors security issues for federal, state and local government agencies are very unhappy with the new policy of Google. It is also said by Sunil Abraham, director of Centre for Internet and Society that the new changes are not good for a consumer's privacy.

Director of privacy Alma Whitten has given some example of how this information will be used. "We can make search better - figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too," she wrote. "We can provide reminders that you're going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends' names, are accurate because you've typed them before."

Other side after the cross-checked the contract between Google and the city of Los Angele by Gould, claimed that he didn’t think through the consequences for government users.

Punjab Newsline published this story. Sunil Abraham was quoted in it.

For more details visit https://cis-india.org/news/google-to-change-privacy-policy